From 6838d19acc4697e995e5154583a3a3ca18f9dedd Mon Sep 17 00:00:00 2001
From: Shivaram Lingamneni
Date: Thu, 9 Jan 2020 04:38:59 -0500
Subject: [PATCH] don't check the real IP for bans on proxy-before-TLS
In the k8s PROXY-before-TLS setting, we don't know all the IPs of the load balancers, so we can't whitelist them, so they're at risk of being d-lined.
---
 irc/client.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/irc/client.go b/irc/client.go
index e89a64ce..e45428d0 100644
--- a/irc/client.go
+++ b/irc/client.go
@@ -222,7 +222,10 @@ func (server *Server) RunClient(conn clientConn, proxyLine string) {
 isBanned, banMsg = server.checkTorLimits()
 } else {
 realIP = utils.AddrToIP(conn.Conn.RemoteAddr())
- isBanned, banMsg = server.checkBans(realIP)
+ // skip the ban check for k8s-style proxy-before-TLS
+ if proxyLine == "" {
+ isBanned, banMsg = server.checkBans(realIP)
+ }
 }
 if isBanned {
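Review bot: The new `if proxyLine == ""` guard in RunClient makes the ban check fail open for every connection that arrives with a PROXY line, and nothing in this hunk shows the address carried in that line being checked in its place. If the proxied IP is ban-checked when the PROXY line is applied later, the comment should state that invariant, e.g. `// proxy-before-TLS: the peer is the load balancer; the client IP from the PROXY line must be ban-checked when it is applied`, and a PROXY line that is rejected or fails to parse should close the connection rather than let it continue unchecked. Because the load balancer addresses cannot be allowlisted, this listener effectively trusts the PROXY header from any peer that can reach it, so it needs to be reachable only from the load balancers. RunClient begins and ends outside the hunk, so the later handling of proxyLine is not visible here.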